UNITED STATES OF AMERICA 0723013

FEDERAL TRADE COMMISSION

COMMISSIONERS: Deborah Platt Majoras, Chairman

Pamela Jones Harbour
Jon Leibowitz
William E. Kovacic
J. Thomas Rosch
__________________________________________
)
In the Matter of )
)
GOAL FINANCIAL, LLC, )
a limited liability company. )
)
) DOCKET NO. C-
__________________________________________)

COMPLAINT

The Federal Trade Commission (“Commission”), having reason to believe that Goal
Financial, LLC has violated the provisions of the Commission’s Standards for Safeguarding
Customer Information Rule (“Safeguards Rule”), 16 C.F.R. Part 314, issued pursuant to Title V,
Subtitle A of the Gramm-Leach-Bliley Act (“GLB Act”), 15 U.S.C. § 6801-6809; the
Commission’s Privacy of Customer Financial Information Rule (“Privacy Rule”), 16 C.F.R. Part
313, issued pursuant to the GLB Act; and the provisions of the Federal Trade Commission Act,
and it appearing to the Commission that this proceeding is in the public interest, alleges:

1. Respondent Goal Financial, LLC, (“Goal Financial”) is a California limited liability

company with its principal office or place of business at 9477 Waples Street, Suite 100,
San Diego, California 92121.

2. The acts and practices of respondent alleged in this complaint have been in or affecting
commerce, as “commerce” is defined in Section 4 of the FTC Act.

3. Respondent markets and originates a variety of student loans, and provides loan related
services.

4. In the course of its business, respondent collects personal information from consumer
loan applications and other sources. The information includes name; address; telephone
number; driver’s license number; Social Security number; date of birth; and income, debt,
and employment information. Respondent retains the personal information in paper
documents and also stores and maintains the information in an electronic database.

Page 1 of 4
5. Since at least September 1, 2004, respondent has engaged in a number of practices that,
taken together, failed to provide reasonable and appropriate security for consumers’
sensitive personal information, including Social Security numbers, dates of birth, and
income and employment information. In particular, respondent has:

(1) failed to assess adequately risks to the information it collected and stored in its
paper files and on its computer network;

(2) failed to restrict adequately access to personal information stored in its paper files
and on its computer network to authorized employees;

(3) failed to implement a comprehensive information security program, including

reasonable policies and procedures in key areas such as the collection, handling,
and disposal of personal information;

(4) failed to provide adequate training to employees about handling and protecting
personal information and responding to security incidents; and

(5) failed in a number of instances to require third-party service providers by contract

to protect the security and confidentiality of personal information.

6. In 2005 and 2006, respondent’s employees exploited the failures enumerated in paragraph
5 and were able to remove without authorization more than 7000 consumer files
containing sensitive information and transfer them to third parties. Further, in 2006, an
employee sold to the public hard drives that had not been processed to remove the data on
the drives, thus exposing in clear text the sensitive personal information of approximately
34,000 consumers.

VIOLATIONS OF THE SAFEGUARDS RULE

7. The Safeguards Rule, which implements Section 501(b) of the GLB Act, 15 U.S.C.
§ 6801(b), was promulgated by the Commission on May 23, 2002, and became effective
on May 23, 2003. The Rule requires financial institutions to protect the security,
confidentiality, and integrity of customer information by developing a comprehensive
written information security program that contains reasonable administrative, technical,
and physical safeguards, including: (1) designating one or more employees to coordinate
the information security program; (2) identifying reasonably foreseeable internal and
external risks to the security, confidentiality, and integrity of customer information, and
assessing the sufficiency of any safeguards in place to control those risks; (3) designing
and implementing information safeguards to control the risks identified through the risk
assessment, and regularly testing or otherwise monitoring the effectiveness of the
safeguards’ key controls, systems, and procedures; (4) overseeing service providers, and

Page 2 of 4
 requiring them by contract to protect the security and confidentiality of customer
information; and (5) evaluating and adjusting the information security program in light of
the results of testing and monitoring, changes to the business operation, and other
relevant circumstances.

8. Respondent is a “financial institution,” as that term is defined in Section 509(3)(A) of the

GLB Act, 15 U.S.C. § 6809(3)(A).

9. As set forth in Paragraph 5, respondent has failed to implement reasonable security

policies and procedures, and has thereby engaged in violations of the Safeguards Rule,
by, among other things:

A. Failing to identify reasonably foreseeable internal and external risks to the

security, confidentiality, and integrity of customer information;

B. Failing to design and implement information safeguards to control the risks to

customer information or to regularly test or monitor their effectiveness;

C. Failing to develop, implement, and maintain a comprehensive written information

security program; and

D. Failing to require service providers by contract to implement safeguards to protect

the security and confidentiality of customer information.

VIOLATIONS OF THE FTC ACT

10. Since at least November 9, 2005, respondent has disseminated or caused to be

disseminated to consumers privacy policies and statements, including, but not limited to
the following:

Our Security Policies and Practices

Access to nonpublic personal information about you is limited to

those employees who need to know such information to provide
products or services to you. We maintain physical, electronic, and
procedural safeguards that comply with federal regulations to guard
your nonpublic personal information.

(Goal Financial, LLC Privacy Policy, attached as Exhibit A.)

11. Through the means set forth in Paragraph 10, respondent represented, expressly or by
implication, that it implements reasonable and appropriate measures to protect personal
information from unauthorized access.

Page 3 of 4
12. In truth and in fact, as set forth in Paragraph 5, respondent did not implement reasonable
and appropriate measures to protect personal information from unauthorized access.
Therefore, the representation set forth in Paragraph 11 was, and is, false or misleading.

VIOLATION OF THE PRIVACY RULE

13. The Privacy Rule, which implements Sections 501-509 of the GLB Act, 15 U.S.C.
§ 6801(b), was promulgated by the Commission on May 24, 2000, and became effective
on July 1, 2001. The Rule requires financial institutions to provide customers, no later
than when a customer relationship arises and annually for the duration of that
relationship, “a clear and conspicuous notice that accurately reflects [the financial
institution’s] privacy policies and practices” including its security policies and practices.
16 C.F.R. §§ 313.4(a); 313.5(a)(1); § 313.6(a)(8).

14. As set forth in Paragraphs 10 through 12, respondent disseminated a privacy policy that
contained false or misleading statements regarding the measures implemented to protect
consumers’ personal information. Therefore, respondent disseminated a privacy policy
that does not accurately reflect its privacy policy, including its security policies and
practices, in violation of the Privacy Rule.

15. The acts and practices of respondent as alleged in this complaint constitute unfair or
deceptive acts or practices, in or affecting commerce, in violation of Section 5(a) of the
Federal Trade Commission Act.

THEREFORE, the Federal Trade Commission this _______ day of ______________,

2008, has issued this complaint against respondent.

By the Commission.

Donald S. Clark
Secretary

Page 4 of 4
 Analysis of Proposed Consent Order to Aid Public Comment
In the Matter of Goal Financial, LLC, File No. 0723013
_____________________________________________________________________________

The Federal Trade Commission has accepted, subject to final approval, a consent
agreement from Goal Financial, LLC (“Goal Financial”).

The proposed consent order has been placed on the public record for thirty (30) days for
receipt of comments by interested persons. Comments received during this period will become
part of the public record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should withdraw from the
agreement and take appropriate action or make final the agreement’s proposed order.

Goal Financial markets and originates a variety of student loans and provides loan-
related services. In conducting its business, Goal Financial routinely obtains personal
information from loan applications and other sources, including name, address, telephone
number, driver’s license number, Social Security number, date of birth, and income, debt, and
employment information. Goal Financial, therefore, is a “financial institution” subject to the
requirements of the Gramm-Leach-Bliley (“GLB”) Safeguards Rule and Privacy Rule. This
matter concerns Goal Financial’s alleged violations of the GLB Safeguards Rule, the GLB
Privacy Rule, and Section 5 of the Federal Trade Commission (“FTC”) Act.

The Commission’s proposed complaint alleges that Goal Financial engaged in a number
of practices that, taken together, failed to employ reasonable and appropriate security measures
to protect personal information. In particular, Goal Financial failed: (1) to assess adequately
risks to the information it collected and stored in its paper files and on its computer network; (2)
to restrict adequately access to personal information stored in its paper files and on its computer
network to authorized employees; (3) to implement a comprehensive information security
program, including reasonable policies and procedures in key areas such as the collection,
handling, and disposal of personal information; (4) to provide adequate training to employees
about handling and protecting personal information and responding to security incidents; and (5)
in a number of instances to require third-party service providers by contract to protect the
security and confidentiality of personal information. As a result of these alleged failures, Goal
Financial put at risk the sensitive information of more than 41,000 consumers.

The complaint alleges that these security failures violated the GLB Safeguards Rule. In
addition, the complaint alleges that Goal Financial misrepresented that it implemented
reasonable and appropriate security measures to protect personal information from unauthorized
access, in violation of Section 5 of the FTC Act. Further, the proposed complaint alleges that
Goal Financial disseminated a privacy policy that does not accurately reflect its privacy
practices, including its security policies and practices, in violation of the GLB Privacy Rule.

The proposed order applies to personal information Goal Financial collects from or about
consumers in connection with its student loan and related services and contains provisions

1
designed to prevent Goal Financial from engaging in the future in practices similar to those
alleged in the complaint.

Part I of the proposed order requires that Goal Financial not misrepresent the extent to
which it maintains and protects the privacy, confidentiality, or integrity of any personal
information collected from or about consumers.

Part II of the proposed order requires Goal Financial to establish and maintain a
comprehensive information security program in writing that is reasonably designed to protect the
security, confidentiality, and integrity of personal information it collects from or about
consumers. The security program must contain administrative, technical, and physical
safeguards appropriate to its size and complexity, the nature and scope of its activities, and the
sensitivity of the personal information collected. Specifically, the order requires Goal Financial
to:

• Designate an employee or employees to coordinate and be accountable for the

information security program.

• Identify material internal and external risks to the security, confidentiality, and
integrity of consumer information that could result in unauthorized disclosure,
misuse, loss, alteration, destruction, or other compromise of such information,
and assess the sufficiency of any safeguards in place to control these risks.

• Design and implement reasonable safeguards to control the risks identified

through risk assessment, and regularly test or monitor the effectiveness of the
safeguards’ key controls, systems, and procedures.

• Develop and use reasonable steps to retain service providers capable of

appropriately safeguarding personal information they receive from Goal
Financial, require service providers by contract to implement and maintain
appropriate safeguards, and monitor their safeguarding of personal information.

• Evaluate and adjust its information security program in light of the results of
testing and monitoring, any material changes to its operations or business
arrangements, or any other circumstances that it knows or has reason to know
may have a material impact on the effectiveness of its information security
program.

Part III of the proposed order requires that Goal Financial not violate any provision of the
GLB Safeguards Rule and Privacy Rule.

Part IV of the proposed order requires that Goal Financial obtain, within 180 days after
being served with the final order approved by the Commission, and on a biennial basis thereafter
for ten (10) years, an assessment and report from a qualified, objective, independent third-party
professional, certifying that: (1) Goal Financial has in place a security program that provides

2
protections that meet or exceed the protections required by Parts II and IIIA of the proposed
order, and (2) its security program is operating with sufficient effectiveness to provide
reasonable assurance that the security, confidentiality, and integrity of nonpublic personal
information has been protected. This provision is substantially similar to comparable provisions
obtained in prior Commission orders under the Safeguards Rule and Section 5 of the FTC Act.

Parts V through IX of the proposed order are reporting and compliance provisions. Part
V requires Goal Financial to retain documents relating to its compliance with the order. For
most records, the order requires that the documents be retained for a five-year period. For the
third-party assessments and supporting documents, Goal Financial must retain the documents for
a period of three years after the date that each assessment is prepared. Part VI requires
dissemination of the order now and in the future to persons with responsibilities relating to the
subject matter of the order. Part VII ensures notification to the FTC of changes in company
status. Part VIII mandates that Goal Financial submit an initial compliance report to the FTC,
and make available to the FTC subsequent reports. Part IX is a provision “sunsetting” the order
after twenty (20) years, with certain exceptions.

The purpose of this analysis is to facilitate public comment on the proposed order. It is
not intended to constitute an official interpretation of the proposed order or to modify its terms in
any way.